Security Memo: Response to Risk Advisory Memo from Tenable

Multiple security vulnerabilities were recently found in several wireless sharing products. These findings were outlined in a Risk Advisory Memo, published by Tenable on May 2, 2019. While our Solstice product was not one of those listed in the Risk Advisory Memo, we wanted to use this opportunity to clarify our approach and affirm our commitment to the highest level of security in light of these recent findings.

We have re-assessed our security position in light of the recent findings, and the Solstice Pod is not at risk.

There are several attack vectors that Tenable outlines related to these vulnerabilities. For each, we’ve either validated that those systems are not included in the Solstice Pod or that the necessary hardening features are already in place. For example, one exploit leverages the SNMP protocol to load additional commands into wireless units. The protocol is also susceptible to man-in-the-middle attacks. This can lead to full root access. The Solstice Pod does not utilize the SNMP protocol directly and instead makes use of a custom control protocol for configuration and monitoring. The Solstice configuration protocol makes use of RSA-based in-line encryption to ensure that no man-in-the-middle is possible. Furthermore, all commands that are sent to the Pod must pass through a strict command whitelisting algorithm that detects and eliminates any command that embeds additional, unknown payloads.

Tenable researchers also discovered that new code could be installed on these units, potentially transforming them into untrusted devices on the enterprise network. The Solstice Pod will not allow execution of any application that is not code signed by Mersive using our private key stored on the build servers at Mersive headquarters. Each time an executable runs it must be validated against our secure code signing; otherwise, it will simply not execute.

For security reasons, we cannot go into all the methods used to ensure that the Solstice Pod cannot be exploited, subverted or breached. We encourage our customers and partners to review the most recent third-party penetration testing assessment of the Solstice Pod. This report is available via our secure online data room under NDA. That same data room holds a more detailed description of the security features that have been built into the Pod to support secure, large-scale deployments on the enterprise network. Contact your customer success representative or sales director to gain access to the online data room.

Security is top of mind for Mersive, and we will continue to monitor the NIST vulnerability database and periodically update our penetration testing results to ensure we are staying current. Please let us know if you have questions or want to set up a live discussion with your security team.